The cloud has opened a new world for healthcare organizations. By offering benefits in terms of cost savings, reliability, and availability, to name a few, it has paved the way to a “paradigm shift in how we approach technology,” said Sahan Fernando, CISO at Rady Children’s Hospital.
However, the dramatic increase in storage also means an “expanded attack surface,” which has significant implications in terms of security and cost, particularly if not managed effectively. During a recent discussion, Fernando and co-panelists Chris Akeroyd (CIO, Children’s Health) and Chris Bowen (CISO and founder, ClearDATA) discussed the unique challenges of migrating to the cloud, and shared advice based on their experiences about how to alleviate them.
One of the biggest hurdles from a cybersecurity standpoint is cloud sprawl, according to Bowen. Without the right controls in place, “it’s very easy to let your team start spinning things up,” he noted. “It’s important to decide what you want to do first in the cloud,” and assign proper controls.
For Rady Children’s, which is relatively early in the journey, the strategy has been to “lead with security,” noted Fernando. “The earlier we’re involved, the more we can help,” not just from an information security standpoint, but in terms of the overall process. “We’ve identified plenty of instances where we’ve said, ‘This looks great on paper, but what does it mean operationally? What does it mean from a true cost perspective? What is the actual business process we’re supporting?’”
By asking difficult questions, security leaders can conduct a more thorough risk assessment that looks at authorization and access controls, telemetry, and other critical factors. The goal is to “ensure a reasonable amount of due diligence without being too much of a roadblock,” he said. At the same time, it’s important that teams throughout the organization — and not just IT and security — understand that the risk is never zero, and that there’s agreement as to what risks are acceptable.
This is where security firms like ClearDATA can help fill a need, noted Bowen. “It can be complicated. If you’re going to hike up the tallest mountain in the world, you don’t want to do it by yourself. The journey to the cloud is a shared responsibility.”
Part of the responsibility for ClearData, which recently earned its fifth HITRUST certification, is to help customers identify workloads that are ready for the cloud, and to avoid mistakes like doing a ‘lift and shift’ that can hinder potential cost savings. They also work to ensure HIPAA compliance and maintain secure environments, which in turn enables teams to “innovate without having to understand all of the intricacies,” Bowen said.
One critical aspect is threat intelligence, which is a “baseline requirement,” according to Akeroyd. “We manage our assets and inventory very closely, whether it’s native cloud, SaaS or on-prem, but getting information and correlating that to our known assets is key to what we do,” he noted.
Threat intelligence can also help inform IOCs (indicators of compromise) retroactively and enable organizations to share data on important factors such as how bad actors gained access, escalated privileges, or moved laterally. And while that may not exactly sound groundbreaking, it’s a major step forward in the cybersecurity world.
“It comes down to how to apply it in a way makes a difference,” said Bowen. By having access to information from hundreds of organizations, ClearDATA can analyze behaviors and employ defensive measures “across the fleet in a very automated way.”
“Layers of review”
Security, however, is just one piece — albeit an important one. There are other factors that play a critical role in the success of any cloud initiative, including governance. Having a solid structure in place can help establish priorities and reduce cloud sprawl, which, if left unchecked, can wreak havoc on a strategy, said Bowen. On the other hand, role-based access controls can help leaders gain a better sense of what’s going into the cloud and who is managing it. “It’s wrapping policies and procedures around your ability to move quickly.”
Without these measures in place — along with a strong contract review process — costs can quickly escalate, according to Fernando. “That’s huge,” he said, noting that all statements of work and master service agreements must get signoff from IT, then undergo more layers of review.
Similarly, Children’s Health has taken a strong stance when it comes to approvals, said Akeroyd. “Everything has to funnel through various groups — not just IT, but also legal, privacy, financial, and others” to ensure proper support is available, while also validating purchases from a security standpoint. “It’s not foolproof, but it’s a good start.”
Vendor partners can also play a key role, said Bowen, whose team will reach out to organizations if there’s a spike in cloud spending and make sure it was intentional. “It’s getting out of the way of our customers so that they can deploy the cloud when they need to, but do so in a way that accomplishes their goals and aligns with their financial requirements,” he said. “It’s an empowerment strategy.”
Pushing the boundaries
The last — and arguably most important — component of migrating to the cloud is the skillset, which is often overlooked, according to Akeroyd. “You need to make sure you have knowledgeable people architecting and securing these environments,” he said. “You need people who are deeply educated in the various platforms. We need to be able to see the threats and respond to them appropriately.”
Part of that is making sure individuals who are in the trenches doing the maintenance and infrastructure work are empowered, said Fernando. “They need to understand why certain controls are in place.”
He believes one of the keys to developing and nurturing talent is to let people “try and fail gracefully,” and in a way that doesn’t impact either operations or patient care. Another is to invest in education, whether it’s training courses or security conferences, and providing the “time and space to explore new areas,” noted Fernando, who encouraged colleagues to hold one-on-ones with team members to make sure they’re pursuing career development opportunities.
“If there’s something that might be a complimentary or adjacent skillset that we need, I’m going to challenge you to go outside of your comfort zone,” he said. “Part of leadership is helping people push the boundaries. That’s where the magic happens.”
To view the archive of this webinar — Leveraging Threat Intelligence to Secure Your Cloud Environment (Sponsored by ClearDATA) — please click here.